When data breaches and hacking first began to make headline news years ago, the real threat was from criminals who would go after consumers’ credit card and debit card information.

They would steal access to the accounts, run up as many charges as they could before they were detected, then the bank would step in and shut down those accounts. The end result was often millions of dollars in damage, but it was somewhat contained in its scope.

It didn’t take long for criminals to realize that with a complete stolen identity—including things like birthdates and Social Security numbers—they could benefit for years to come. That information allowed them to open, use, and then discard multiple accounts, year after year, leaving a seemingly never-ending cycle for the victim.

This same type of escalation is happening now in tax scamming. Criminals have long targeted individual consumers’ identities in order to file fraudulent tax returns, hoping for a big payday. With enough people’s records, they could really rack up. But how do they go about stealing individual identities, and more importantly, why keep it small when the real payoff is in going after businesses? Targeting consumers is still a very real threat, but the growing danger is in criminals who go after businesses.

The IRS has warned businesses that scammers are targeting them, often in the form of phishing emails that appear to come from someone higher up in the company. This type of “spearphishing” email requests all the W2 forms for the entire company, for example, or access to a complete customer database. Once the recipient of the email follows through with the request, the scammer has possibly thousands of complete identities.

As of slightly more than a year ago, the IRS had seen a 400% rise in attacks that targeted businesses for their tax information.

Download the whitepaperfrom ITRC & partner, Iris On Watch, to learn more about phishing, tax fraud and the impact on employees and businesses.